Information Security
Management, Standards and
best practices
Σ. Κοκολάκης
Με τη συνεισφορά των Μ. Καρύδα και Α.
Τσώχου
Standards &
Standardization Process
• De facto – de jure standards
• Standardization bodies
– ISO (International Organization for
Standardization) National bodies – Technical
Committees
– ΕΛΟΤ (Ελληνικός Οργανισμός Τυποποίησης)
– CEN, ANSI, NIST, BSI
• Processes
– Certification
– Accreditation
2
Why?
• Threat of legal liability
– Organizations and software vendors are being held
to a higher degree of accountability for security, if
not in the courtroom, by their customers
• Business partners and stakeholders
demanding security
– Organizations are challenged to prove they are
managing security to a level that will satisfy their
business partners and stakeholders.
• Proliferation of standards, regulations and
legislation
– Organizations face complex requirements to
comply with a myriad of regulations.
3
Comprehensive IS Management –
Principles Based
• OECD Guidelines for the Security of Information Systems
and Networks (2002): 9 pervasive principles for information
security
• NIST (National Institute of Standards and Technology)
– SP 800-14 Generally Accepted Principles and Practices for
Securing IT Systems, 1996
– SP 800-18, Guide for Developing Security Plans for Federal
Information Systems,1998 (revised 2006)
– SP 800-30 Risk Management Guide for IT Systems, 2002
• IFAC International Guidelines on Information Technology
Management—Managing Information Technology
Planning for Business Impact: International Federation of
Accountants, New York, 1999.
4
Comprehensive IS Management Controls Based
•
•
•
•
•
•
•
•
BS 7799 – Parts 1, 2 & 3 Code of Practice for Information Security
Management (British Standards Institute)
ISO 27001: Information Technology – Information Security Management
Systems - Requirements
ISO 27002: Information Technology – Code of Practice for Information
Security Management (former ISO 17799)
ISO 27003: Information Technology – Information management system
implementation guidance
ISO 27004: Information technology - Information security management Measurement
ISO 27005: Information Technology– Information security risk management
IT Baseline Protection Manual - BSI (Bundesamt für Sicherheit in der
Informationstechnik)
NIST
– 800-53 - Recommended Security Controls for Federal Information Systems
– Several specific standards (e.g. Secure Web Services, PDA security,
5
Implementing HIPAA, Contingency planning, etc.)
Other categories
• Capability Maturity Model
– ISO 21827 System Security Engineering - Capability Maturity
Model (SSE-CMM)
• Product Security Models
– ISO 15408 Common Criteria
– TCSEC, ITSEC
• Business Continuity Management
– ISO24762: Information Technology – Guidelines for information
and communication technology disaster recovery services
– ISO27031: Information Technology – Security Techniques –
Guidelines for ICT readiness for Business Continuity
– BS25999: Business Continuity Management
– ISO18044 – Information technology – Information security incident
management
• Governance Guides
– ISO38500: Corporate guidance of IT
• COBIT – Control Objectives for Information and Related
Technologies (ISACA)
– IT Governance Implementation Guide (ISACA)
6
OECD Guidelines -1“towards a culture of security”
1. Awareness
– Participants should be aware of the need for security of
information systems and networks and what they can do to
enhance security.
2. Responsibility
– All participants are responsible for the security of
information systems and networks.
3. Response
– Participants should act in a timely and co-operative manner
to prevent, detect and respond to security incidents.
4. Ethics
– Participants should respect the legitimate interests of
others.
5. Democracy
– The security of information systems and networks should be
compatible with essential values of a democratic society.7
OECD Guidelines -26.
Risk assessment
–
7.
Participants should conduct risk assessments.
Security design and implementation
–
8.
Participants should incorporate security as an essential
element of information systems and networks.
Security management
–
9.
Participants should adopt a comprehensive approach to
security management.
Reassessment
–
Participants should review and reassess the security of
information systems and networks, and make appropriate
modifications to security policies, practices, measures and
procedures.
8
Information Security Standards
• TCSEC (Orange Book)
• ITSEC
• Common Criteria
9
Standards’ history -1• 1983: Trusted Computer System Evaluation
Criteria (TCSEC) developed in the United
States.
• 1991: Information Technology Security
Evaluation Criteria (ITSEC) version 1.2
published by the European Commission (joint
development by France, Germany, the
Netherlands, and the UK).
• 1993: Canadian Trusted Computer Product
Evaluation Criteria (CTCPEC) version 3.0,
published as a combination of the ITSEC and
TCSEC approaches.
10
Standards’ history -2• 1990: the International Organization for
Standardization (ISO) starts to develop an
international standard evaluation criteria for
general use.
• June 1993: the sponsoring organisations of
the CTCPEC, FC, TCSEC and ITSEC
began a joint activity to align their separate
criteria into a single set of IT security
criteria that could be widely used. This
activity was named the CC Project.
11
Common Criteria -1• Meant to be used as the basis for evaluation of
security properties of IT products and systems.
• Permits comparability between the results of
independent security evaluations.
• Guide for the development of products or systems
with IT security functions and for the procurement
of commercial products and systems with such
functions.
• Addresses protection of information from
unauthorised disclosure,modification, or loss of use
(confidentiality, integrity, availability).
• It is applicable to IT security measures
implemented in hardware, firmware or software.
12
Common Criteria -2• Does not contain security evaluation criteria
pertaining to administrative security measures not
related directly to the IT security measures.
• De facto standard in the US since 1998.
• Accepted as ISO 15408
• Includes
– CC documents
– CC Evaluation Methodology (CEM)
– CC National Scheme
• 7 Evaluation Assurance Levels
– [EAL1 to EAL7]
• 11 Functionality Requirements Classes
• 10 Assurance Requirements Classes
13
Evaluation Context
14
Common Criteria Target Group
• Consumers
They can use the results of evaluations to help decide
whether an evaluated product or system fulfils their security
needs. They can also use the evaluation results to compare
different products or systems.
• Developers
CC can support developers in preparing for and assisting in
the evaluation of their products or systems and in
identifying security requirements to be satisfied by each of
their products or systems.
• Evaluators
The CC contains criteria to be used by evaluators when
forming judgments about the conformance of TOEs to their
security requirements.
• Others
Auditors, Security Officers
15
Common Criteria: Basic concepts
• Protection Profile (PP)
– An implementation-independent set of security
requirements for a category of TOEs that meet specific
consumer needs.
• Target of Evaluation (TOE)
– An IT product or system and its associated administrator
and user guidance documentation that is the subject of an
evaluation.
• Security Target (ST)
– A set of security requirements and
specifications to be used as the basis for
evaluation of an identified TOE.
16
TOE Development Method
• Protection
Profile
(PP)
• Target of
Evaluation
(TOE)
• Security
Target
(ST)
17
ISO 27002 (former 17799)
• First edition: 2000. Current edition: 2005
• Prepared by the British Standards Institution
(as BS 7799) and was adopted by Joint
Technical Committee ISO/IEC JTC 1,
Information Technology, in parallel with its
approval by national bodies of ISO and IEC.
• “Information technology — Code of
practice for information security
management”
18
ISO 27002 as a code of practice
• May be regarded as a starting point
for developing organization specific
guidance.
• Not all of the guidance and controls in
this code of practice may be
applicable.
• Furthermore, additional controls not
included in this document may be
required.
19
ISO 27002
• Gives recommendations for information
security management for use by those who
are responsible for initiating, implementing
or maintaining security in their organization.
• It is intended to provide a common basis for
developing organizational security standards
and effective security management practice
and to provide confidence in interorganizational dealings.
• Recommendations from this standard should
be selected and used in accordance with
applicable laws and regulations.
20
ISO 27002:
Information Security Policy
• Information security policy document
• Review and evaluation
21
ISO 27002:
Organizational Security
• “Information security is a business
responsibility shared by all members of the
management team.”
• Information security infrastructure
– management framework: management fora with
management leadership should be established to
approve the information security policy, assign
security roles and co-ordinate the implementation
of security across the organization
– multi-disciplinary approach to information
security: involving the co-operation and
collaboration of managers, users, administrators,
application designers, auditors and security staff,
and specialist skills in areas such as insurance
and ``
22
ISO 27002:
Asset classification and control
• Asset accountability
– Accountability should remain with the
owner of the asset. Responsibility for
implementing controls may be delegated.
• Information classification
– Information should be classified to
indicate the need, priorities and degree
of protection, depending on varying
degrees of sensitivity and criticality.
23
ISO 27002:
Personnel security
• Security in job definition and resourcing
• User training
– Users should be trained in security procedures
and the correct use of information processing
facilities to minimize possible security risks.
• Responding to security incidents and
malfunctions
– Weaknesses, malfunctions
– Learning from incidents
– Disciplinary process
24
ISO 27002:
Physical and environmental security
• Secure areas
– Security perimeter, entry controls
– Protection provided should be
commensurate with the identified risks.
• Equipment security
– Safety
25
ISO 27002: Communications and
operations management
• Operational procedures and responsibilities
– Incident management procedures
– Segregation of duties
– Separation of development and operational facilities
• System planning and acceptance
– Capacity planning, performance requirements, system
acceptance
•
•
•
•
Protection against malicious software
Back ups, logging
Network management
Media handling
– tapes, disks, cassettes
• Information exchange between organizations
– Policy on Email
– Electronic commerce security
26
ISO 27002: Access control
• Access control policy
• User access management
– Access rights, passwords
• User responsibilities
• Network access control
– Network segregation
•
•
•
•
Operating system access control
Application access control
Monitoring system access and use
Mobile computing and teleworking
27
ISO 27002: Systems development
and maintenance
• Security requirements of systems
– “built-in” security
• Security in application systems
– Message authentication, hash
algorithms, cryptography
• Cryptographic controls
– To protect the confidentiality, authenticity
or integrity of information (encryption,
digital signatures, key management)
28
ISO 27002:
Business continuity management -1• “To counteract interruptions to business
activities and to protect critical business
processes from the effects of major failures
or disasters.”
• A business continuity management process
should be implemented to reduce the
disruption caused by disasters and security
failures (which may be the result of, for
example, natural disasters, accidents,
equipment failures, and deliberate actions)
to an acceptable level through a
combination of preventative and recovery
controls.
29
ISO 27002:
Business continuity management -2• The consequences of disasters, security failures
and loss of service should be analyzed.
Contingency plans should be developed and
implemented to ensure that business processes
can be restored within the required time-scales.
Such plans should be maintained and practiced to
become an integral part of all other management
processes.
• Business continuity management should include
controls to identify and reduce risks, limit the
consequences of damaging incidents, and ensure
the timely resumption of essential operations.
30
ISO 27002: Compliance
• Compliance with legal requirements
– Data protection and privacy of personal
information
– Intellectual property rights (IPR)
– Regulation of cryptographic controls
• Compliance with security policy
31
ISO/IEC 27001: 2005
• Specifies the requirements for
establishing, implementing, operating,
monitoring, reviewing, maintaining and
improving a documented Information
Security Management System (ISMS)
within the context of the organization’s
overall business risks.
• May serve as a suitable basis for
ISMS certification.
32
ISO/IEC 27001: 2005
• Contains requirements for the
implementation of security controls
customized to the needs of individual
organizations or parts of them.
• Contains requirements in a structure
of:
– 11 control clauses that include
– 39 control objectives
– 133 controls
33
The PDCA model of ISO/IEC 27001
34
PLAN: Establish the ISMS
35
Define the scope of ISMS (a.)
Definition of the boundaries of the ISMS
in terms of the characteristics:
• the business,
• the organization,
• its location,
• assets,
• technology,
• justified details of any exclusions from
36
the scope.
Define an ISMS policy (b.)
Definition of an ISMS policy that:
1. includes a framework for setting objectives and
establishes an overall sense of direction and
principles for action with regard to information
security;
2. takes into account business and legal or
regulatory requirements, and contractual security
obligations;
3. aligns with the organization’s strategic risk
management context in which the establishment
and maintenance of the ISMS will take place;
4. establishes criteria against which risk will be
evaluated, and
37
5. has been approved by management.
Risk assessment (c.-d.-e.)
Risk assessment is the process of combining
risk identification, risk analysis and risk
evaluation.
ISO/IEC 13335-1: 2004
The results of the risk assessment will help to
guide and determine the appropriate
management action and priorities for
managing information security risks, and for
implementing controls selected to protect
against these risks.
ISO/IEC 27002: 2005
38
Risk assessment (c.-d.-e.)
The three stages are risk assessment execution:
• Identify a risk assessment methodology that is suited
to the ISMS, and the identified business information
security, legal and regulatory requirements.
• Develop criteria for accepting risks and identify the
acceptable levels of risk.
• Identify the risks (assets, threats, vulnerabilities,
impacts)
• Analyze and evaluate the risks (estimation of level of
risks and evaluation whether they are acceptable or
require treatment).
39
Risk Assessment activities
Risk assessment consists of the
following activities:
• Risk analysis which comprises:
– Risk identification
– Risk estimation
• Risk evaluation
40
Prepare Statement of Applicability
(j.)
The Statement of Applicability shall include
the following:
• the control objectives and controls selected
and the reasons for their selection
• the control objectives and controls currently
implemented, and
• the exclusion of any control objectives and
controls in Annex A and the justification for
their exclusion.
41
DO: Implement and Operate the
ISMS (1)
• Formulate a risk treatment plan, that shall
contain:
–
–
–
–
–
The method selected for treating the risk
What controls are in place
What additional controls are proposed
Time frame for controls’ implementation
Identified acceptable level of risk (and residual
risk)
• Implement the risk treatment plan in order
to achieve the identified control objectives.
42
DO: Implement and Operate the
ISMS (2)
• Implement controls selected to meet the
control objectives.
• Define how to measure the effectiveness of
the selected controls.
• Implement training and awareness
programs.
• Manage operation of the ISMS.
• Manage resources for the ISMS.
• Implement procedures and other controls
capable of enabling prompt detection of
security events and response to security 43
incidents.
CHECK: Monitor and review (1)
Execute monitoring and reviewing procedures and
other controls to:
• promptly detect errors
• promptly identify attempted and successful security
breaches and incidents
• enable management to determine whether the
security activities delegated to people or
implemented by information technology are
performing as expected,
• help detect security events by the use of indicators,
and
• determine whether the actions taken to resolve a
44
breach of security were effective.
CHECK: Monitor and review (2)
• Undertake regular reviews of the effectiveness of the
ISMS.
• Measure the effectiveness of controls to verify that
security requirements have been met.
• Review risk assessments at planned intervals and
review the residual risks and the identified acceptable
levels of risks, taking into account potential changes.
• Conduct internal ISMS audits at planned intervals.
• Update security plans to take into account the findings
of monitoring and reviewing activities.
• Record actions and events that could have an impact
on the effectiveness or performance of the ISMS.
45
ACT: Maintain and Improve the
ISMS
The organization shall regularly:
• Implement the identified improvements in the ISMS.
• Take appropriate corrective and preventive actions
• Apply the lessons learnt from the security
experiences of other organizations and those of the
organization itself.
• Communicate the actions and improvements to all
interested parties
• Ensure that the improvements achieve their intended
objectives.
46
Required documentation (1)
• Documented statements of the ISMS
policy and objectives
• The scope of the ISMS
• Procedures and controls in support of
the ISMS
• A description of the risk assessment
methodology
• The risk assessment report
47
• The risk treatment plan
Required documentation (2)
• Documented procedures needed by
the organization to ensure the
effective planning, operation and
control of its information security
processes and describe how to
measure the effectiveness of controls
• Records required by the ISO/IEC
27001:2005, and
• The Statement of Applicability (SOA).
48
Annex A - Control objectives and
controls
1.
2.
3.
4.
5.
6.
7.
8.
Security Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and
Maintenance
9. Information Security Incident Management
10.Business Continuity Management
11.Compliance
49
Annex A - Control objectives and
controls: Examples (1)
A5: Security Policy
Objective: To provide
management
direction and
support for
information security
in accordance with
business
requirements and
relevant laws and
regulations
A5.1: Information
security policy
document
Control: An information
security policy
document shall be
approved by
management, and
published and
communicated to all
employees and
relevant external
50
parties.
Annex A - Control objectives and
controls: Examples (2)
A.11 Access control
A.11.2 User access
management
Objective: To ensure
authorized user access and
to prevent unauthorized
access to information
systems
A11.2 User responsibilities
• Objective: To prevent
unauthorized user access,
and compromise or theft of
information and information
processing facilities
A11.2.3: User password
management
Control: The allocation of
passwords shall be
controlled through a
formal management
process
A11.2.1: Password use
Control: Users shall be
required to follow good
security practices in
the selection and use
of passwords
51
Trends
• More regulatory and legislative oversight.
• Executive and board oversight of information security.
• ISO27001/ISO27002 have become the de facto
standard for information security program.
• ISO27000 series
–
–
–
–
–
–
ISO27000: Glossary
ISO27003: Implementation of ISMS
ISO27004: Measurement and metrics
ISO27005: Risk management
ISO27006: Accreditation guidelines
ISO27k …to be continued…
52
References
• Γκρίτζαλης Σ., Διασφάλιση και Αξιολόγηση Ασφάλειας
Συστημάτων και Προϊόντων (Κεφ.9), στο Κάτσικας Σ.,
Γκρίτζαλης Δ. και Γκρίτζαλης Σ. (επιμέλεια) Ασφάλεια
Πληροφοριακών Συστημάτων, Εκδόσεις Νέων
Τεχνολογιών, Αθήνα 2004, σελ. 267-315.
• Καρύδα Μ., Πολιτικές Ασφάλειας Πληροφοριακών
Συστημάτων, στο Κάτσικας Σ., Γκρίτζαλης Δ. και
Γκρίτζαλης Σ. (επιμέλεια) Ασφάλεια Πληροφοριακών
Συστημάτων, Εκδόσεις Νέων Τεχνολογιών, Αθήνα
2004, σελ. 377-406.
53